10:35

A comment on the "hacker attack" on beppegrillo.it

Since some American friends are asking, I thought I'd share a few comments on the purported hack attack on a political movement here in Italy (source in English).

First, a brief reconstruction of the events (and note I'm trying to stay clear of political nuances, which is costing me some effort). In a few days, the Italian parliament is set to vote for the elections of our next President. Italy is a parliamentary democracy, and the President is elected jointly by the houses of parliament and other representatives of the Regions. Since it's a 7-year mandate, this is a particularly important moment in the Italian system.

The political movement in question, Movimento 5 Stelle, launched a poll (not a vote, technically, as the vote takes place only as I mentioned before) among its members (and not an open poll) to indicate "names" of personalities they should propose as next president. This is important, as it deflates the practical value of attacking such a system for any external threats (except politically motivated ones, for demonstration purposes). The names coming out of this poll would just be an "indication", for the MPs of the movement, on how to vote during the actual elections. An indication because, of course, at some point they might have a choice between an agreement on other candidates or irrelevance (since there's a qualified majority needed to elect the President).

Now, the facts we know are that:

1) the movement leader decided to stop the poll and start it over, due to a purported "hacker attack" which was "detected" and "solved".

2) the event was discovered by DNV (a certification entity, hired to ensure that the election process was not flawed). The certification body states an anomaly was discovered, namely that there were more votes than registered voters.

3) DNV is not in the business of information security, but of compliance. They discovered the event by analyzing the process and the data, and discovering implausible values.

4) Contrary to what was immediately said in 1), the later versions of the story talk of a "sophisticated intruder" who "hid their traces" and of an unidentified first moment of access.

5) The software was developed in house, is not open source, and the servers which host it are owned and managed by the PR agency which supports the leader of the movement (which is also, we believe, the author of the software, or has contracted the author).

6) A Facebook group claimed the "attack" was just a matter of organized trolling, i.e. that people basically accessed the voting system unchecked, due to a flaw in the process and in the way access was restricted.
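The anomaly DNV reported (more ballots than registered voters) is exactly the kind of invariant a poll operator can check continuously, rather than discover after the fact. As an added illustration, not code from the movement's platform or from this post, the following Python reconciles a constructed ballot log against a constructed voter register and reports every invariant that fails, not just the aggregate count:

```python
"""Reconciliation checks for a members-only poll: compare the ballot log
against the voter register and report each broken invariant.
All data here is constructed for the example."""
from collections import Counter

# Constructed voter register (assumption: one opaque id per member).
REGISTERED_VOTERS = {"m001", "m002", "m003", "m004"}

# Constructed ballot log as (voter_id, candidate). Two problems are
# planted: m002 voted twice and x999 is not in the register.
BALLOTS = [
    ("m001", "A"),
    ("m002", "B"),
    ("m002", "B"),
    ("m003", "A"),
    ("x999", "C"),
    ("m004", "C"),
]


def reconcile(registered, ballots):
    """Return a dict of findings; an empty dict means every invariant held."""
    findings = {}
    votes_per_voter = Counter(voter for voter, _ in ballots)
    # Invariant 1: the aggregate check DNV applied: ballots <= voters.
    if len(ballots) > len(registered):
        findings["more_votes_than_voters"] = (len(ballots), len(registered))
    # Invariant 2: every ballot must come from a registered voter.
    unknown = sorted(v for v in votes_per_voter if v not in registered)
    if unknown:
        findings["unregistered_voters"] = unknown
    # Invariant 3: one ballot per voter (catches stuffing that stays
    # below the aggregate threshold, which invariant 1 would miss).
    dup = sorted(v for v, n in votes_per_voter.items() if n > 1)
    if dup:
        findings["duplicate_ballots"] = dup
    return findings


def tally(registered, ballots):
    """Count only the first ballot of each registered voter (assumed rule)."""
    seen, counts = set(), Counter()
    for voter, candidate in ballots:
        if voter in registered and voter not in seen:
            seen.add(voter)
            counts[candidate] += 1
    return dict(counts)
```

Invariant 3 is the one that matters when the register is large: a few hundred duplicate ballots never trip the aggregate count, so the headline check alone is not evidence of a clean poll.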

What is my personal opinion on this, founded on my experience?

I honestly don't know whether or not a willing attacker was behind this event (I take exception, in general, to calling that attacker "hacker", but this is another story). However, since the practical value of a hidden attack against such a system is close to zero (given that this is a poll completely under the control of the movement leadership, which can call it off at any time or mangle the results as they see fit), the only reasonable course for a politically motivated attacker would be to make the system fail visibly (say, a defacement). Since nothing like this happened, my opinion is that an attack from an external entity is very unlikely.

But regardless of this, my opinion is that, most likely, what happened was the result of badly designed and written software, built by less-than-competent people. Open source software for polling is available, tried and true, and could have been used. Honestly, this is not rocket science, either. Also, the registration process for voting should be scrutinized, as it is probably part of the issue.

Finally, my opinion is that a poll managed and run by a PR agency working for the leader of a movement, on closed systems and with software that has been specifically developed for this, has very little to do with any form of voting. The sheer fact that they needed to hire a certification body (DNV) to give some proof that the process was not flawed (resulting in the boomerang of having to admit it was) is a demonstration of a basic flaw.

The movement under discussion hosts a number of technically savvy people who could easily form a committee to manage and run a neutral technology platform for this kind of polling, or for internal debate. The fact that this does not happen, alone, casts serious doubt on anything that is done "online" with a closed platform.

E-voting, or e-democracy, entails deeply complex research issues such as voter/citizen identification, guarantee of vote secrecy, guarantee of anonymity coupled with ensuring authentication, crowdsourcing of the management of online discussions, possibility of open scrutiny of the process by voters and third parties... This is difficult, friends, more difficult than you can possibly believe. There are only a few handfuls of experts around the world who know how to do this, and surely they don't work for a marginal PR company in Italy.

The obvious snake oil sign here is the classical statement "Well, no system can be 100% secure". That's obviously true. But some systems can be immediately identified as incredibly stupid, or at the very least terribly boorish.